Tuesday, 2021-10-12

« Monday, 2021-10-11 Index Wednesday, 2021-10-13 »
opendevreviewAndrew Bonney proposed openstack/openstack-ansible-haproxy_server stable/wallaby: Fix PKI regen behaviour  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356807:25
opendevreviewAndrew Bonney proposed openstack/openstack-ansible-haproxy_server stable/wallaby: Fix typo for user supplied certificate variable  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356907:25
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server stable/wallaby: Fix PKI regen behaviour  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356809:51
opendevreviewDmitriy Rabotyagov proposed openstack/openstack-ansible-haproxy_server stable/wallaby: Fix typo for user supplied certificate variable  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356909:51
opendevreviewAndrew Bonney proposed openstack/openstack-ansible-haproxy_server stable/wallaby: Fix typo for user supplied certificate variable  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356910:00
opendevreviewMerged openstack/openstack-ansible-os_tempest stable/wallaby: Pin neutron-tempest-plugin to v1.6.0  https://review.opendev.org/c/openstack/openstack-ansible-os_tempest/+/81319812:17
noonedeadpunkandrewbonney: should we also merge and backport https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/811985 ?12:53
andrewbonneyYes it's ready to go as far as I'm concerned. I've done two production deploys with the patch in place12:53
noonedeadpunknice12:54
andrewbonneySame for this backport https://review.opendev.org/c/openstack/openstack-ansible/+/81309912:55
noonedeadpunkoh, yes, I missed it(12:58
fridtjof[m]hm, I'm encountering issues on a v -> w upgrade :(14:11
fridtjof[m]os-keystone-install is failing with this: https://paste.opendev.org/show/809924/14:11
fridtjof[m]what's confusing me is that keystone shouldn't have a repo directory, right? that should only be in a repo container14:11
opendevreviewMerged openstack/openstack-ansible-haproxy_server stable/wallaby: Fix PKI regen behaviour  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356814:25
opendevreviewMerged openstack/openstack-ansible-haproxy_server stable/wallaby: Fix typo for user supplied certificate variable  https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/81356914:28
jrosserfridtjof[m]: in the tasks before the one pasted you should see where that file has been written to14:32
jrosserand you can see that the task was delegated to the repo container "[infra1_keystone_container-42e7d94a -> 10.1.60.153]"14:33
fridtjof[m]ah, i didn't realize that.14:35
fridtjof[m]Looking at the tasks before that, it reads like it might've skipped more than it should?14:36
fridtjof[m]I don't have logs for it unfortunately (too short terminal buffer :( ), but an earlier attempt failed somewhere else related to the repository (i think?)14:36
fridtjof[m]so that might actually be a knock-on effect14:36
fridtjof[m]i could try re-running whatever sets up the repo containers...14:37
fridtjof[m](full log of this run: https://paste.debian.net/1215151/)14:39
fridtjof[m]nope, same results after re-running repo-install14:48
mgariepyare you sure all the osa git repo are up-to-date ?14:50
mgariepyi had issue recently for some reason that repo-build wasn't updated and it caused something similar to that.14:50
mgariepyfridtjof[m], ^^14:57
fridtjof[m]I just went for the latest 23.* tag, checked out today14:58
fridtjof[m]I'll check again later14:59
noonedeadpunk#startmeeting openstack_ansible_meeting15:00
opendevmeetMeeting started Tue Oct 12 15:00:23 2021 UTC and is due to finish in 60 minutes.  The chair is noonedeadpunk. Information about MeetBot at http://wiki.debian.org/MeetBot.15:00
opendevmeetUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.15:00
opendevmeetThe meeting name has been set to 'openstack_ansible_meeting'15:00
noonedeadpunk#topic office hours15:00
noonedeadpunkso, next week is week of PTG15:01
noonedeadpunkand https://etherpad.opendev.org/p/osa-yoga-ptg is pretty empty :(15:01
noonedeadpunkalso - I guess it's we time switched master to stable/xena not to follow master and not to face bugs?15:02
noonedeadpunk*it's time we switched15:03
spatelnoonedeadpunk i added one line :) 15:15
spateljamesdenton i have blog out for VPN with keepalived for high availability https://satishdotpatel.github.io/ha-strongswan-ipsec-vpn/15:28
noonedeadpunk#endmeeting15:36
opendevmeetMeeting ended Tue Oct 12 15:36:18 2021 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)15:36
opendevmeetMinutes:        https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-10-12-15.00.html15:36
opendevmeetMinutes (text): https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-10-12-15.00.txt15:36
opendevmeetLog:            https://meetings.opendev.org/meetings/openstack_ansible_meeting/2021/openstack_ansible_meeting.2021-10-12-15.00.log.html15:36
jamesdentonthanks, spatel15:36
noonedeadpunkwell, vpnaas is not the case for OVN :(15:36
noonedeadpunkI wish it was though15:37
spatelwhy not ?15:37
spatelbecause of no namespace? 15:37
noonedeadpunkyeah15:37
noonedeadpunkand no interest/maintainers even for ovs/lxb implementation (15:38
spatelthere must be other workaround 15:38
noonedeadpunkcreate several VM's with keepalived on them or following your blogpost?15:38
jamesdentonprobably just easier to build some heat template or something for VPN concentrator15:39
noonedeadpunkyeah, or that actually15:39
noonedeadpunkor leverage magnum ? I guess there should be smth deployable inside k8s?15:39
spatelmy blog is for my new datacenter VPN access to have redundancy in keepalived but sure look like we have to deploy VPN outside openstack 15:39
noonedeadpunkwell, I guess it can work inside openstack as well if needed...15:40
spatelhttps://specs.openstack.org/openstack/neutron-specs/specs/xena/vpnaas-ovn.html15:40
noonedeadpunkoh, wow15:44
noonedeadpunkthere's even a patch https://review.opendev.org/c/openstack/neutron-vpnaas/+/76535315:45
noonedeadpunkwow15:45
spatelyeah!! 15:46
spateli should test that :) 15:47
spatelnoonedeadpunk currently we don't have good way to recover rabbitMQ in OSA :(15:47
noonedeadpunkwell, during last PTG iirc neutron folks was like talking that they're not going even to spend time on this atm15:47
noonedeadpunkrecover in terms of..?15:48
noonedeadpunkif it's fully dead and re-setuped?15:48
spatellast week two time i nuke rabbitMQ cluster and rebuild it 15:48
noonedeadpunkor to complete maintenances/upgrades beter?15:48
spatelits keep dying, i think i need to upgrade more memory 15:48
mgariepyspatel. stop all and start back15:48
spatelnothing work :(15:48
noonedeadpunkthere's a tag `common-mq` so you can run setup-openstack.yml with it and it's creating all vhosts/users for all services relatively fast I'd say15:49
spateli did stop but that stop went for 1 hour and then finally i have to kill it and whole cluster was in non-recoverable mode15:49
spatelwow! where is that common-mq ?15:49
spateli wrote my own script to create vhost/user/password/ etc.. and i hate that.. 15:50
noonedeadpunkin each role where mq_setup is included, ie https://opendev.org/openstack/openstack-ansible-os_glance/src/branch/master/tasks/main.yml#L7515:50
noonedeadpunkwell, it's not instant, but acceptable imo15:50
noonedeadpunkand worked for me lately15:51
spatelso if i run openstack-ansible rabbitmq-server.yml --tags common-mq  will create all account?15:51
noonedeadpunk`setup-openstack.yml` 15:51
spateloh! 15:51
mgariepyis that documented ? :/15:52
noonedeadpunkbut it will run only tasks regarding rabbit setup15:52
noonedeadpunkofc not15:52
spatelwhy don't we have something more quicker way, just read endpoint and create those account quickly 15:52
noonedeadpunkbecause we kind of don't know credentials?15:53
noonedeadpunksince they are defined for each role independently15:53
spateluser_secret.yml file 15:53
noonedeadpunkand vhost? username?15:53
spatelcan't we read-password from that place?15:53
noonedeadpunkif we should use ssl? And what rabbit server to talk to?15:54
noonedeadpunkbecause back to the usecase - we had a rabbit cluster per service15:54
spatelrabbitmqctl add_user nova c737e038d2a49696411240e12c362d4f431bbb67a405a0bcb8e415:54
spatelrabbitmqctl add_user glance c42769fddfe6799a6efd8e3330ee5f29e8c99387dfa8c815:54
noonedeadpunkhow do you know username is nova?15:54
spateland craft this command to run15:54
spatel[root@ostack-osa-2 ~]# cat /etc/openstack_deploy/user_secrets.yml | grep nova_o15:55
spatelnova_oslomsg_rpc_password: c737e038d2a49696411240e12c362d4f431bbb67a405a0bcb8e415:55
noonedeadpunkit doesn't mean username is nova15:55
noonedeadpunkbecause that is defined with nova_oslomsg_rpc_userid15:56
spatelwhy someone will change userid?15:56
spateli am seeing all service has same userid what ever service name15:57
spatelglance / nova/ neutron etc...15:57
noonedeadpunkwell, returning back to usecase I was having - separate rabbit clusters for each service15:58
spatelwhatever script i created it read this user_secret.yml file and craft all rabbitMQ command to add username/password and run them on rabbit container, its working fine so far..15:58
spatelnoonedeadpunk no kidding :O15:58
noonedeadpunkso you actually override glance_oslomsg_rpc_host_group 15:58
spatelwhy are you doing that way?15:58
spateleach service has own cluster?15:59
noonedeadpunkyes, this can be done, but it would be pretty opionated15:59
noonedeadpunkin the way of not taking into account plenty of other usecases15:59
spateli know what you saying.. 15:59
noonedeadpunkyep, each service had own independant rabbitmq clusters15:59
spatelthat would be overkill right?15:59
noonedeadpunkwhile running playbook would still do exactly the same thing without need of extra maintenance, when new role is being added16:00
spatelonly neutron and nova is bigger consumer of rabbit (forget about gnocchi)16:00
noonedeadpunkdepends on the region size... Because eventually the only way to scale up rabbit is to make more clusters or disable ha_queues16:00
noonedeadpunkwell, yes, I agree that you don't need that for _each_ service16:01
spateli heard disable ha_queues cause issue16:01
spatelis that true o?16:01
noonedeadpunkbut if you automate that process - it's just easier to align all of them kind of16:01
noonedeadpunkit causes issues when one of rabbit nodes outages....16:01
noonedeadpunkwell, it used to cause issues16:01
noonedeadpunkbut, having ha_queues is a performance penalty...16:02
spateli am thinking to remove ha_queue (i don't need HA because this is my private cloud)16:02
spateldo you know good way to disable HA in OSA ?16:02
spatelany variable etc..16:02
noonedeadpunksure16:03
noonedeadpunkjust define `rabbitmq_policies: []` in overrides16:04
noonedeadpunkto override that https://opendev.org/openstack/openstack-ansible/src/branch/master/inventory/group_vars/all/infra.yml#L27-L3116:04
spateloh! 16:04
SiavashSardari@noonedeadpunk what do you mean by not using ha queues used to cause issue?16:05
spateli heard somewhere, i don't have personal experience because i am running in ha 16:06
spatelif anyone running in non-HA please tell us how do you feel , i would love to know16:06
noonedeadpunkSiavashSardari: so, when one of rabbitmq cluster members was going down, and returning back to life - it didn't have queues, but services were supposing it has them, so while cluster was healthy, and services were able to communicate with all members, there were some interminnent erorrs while doing requests to apis16:08
noonedeadpunkBut I was seeing that in stein last time. After that I switched to HA queues and forgot about the issues16:08
SiavashSardaricouple of years ago I used zeromq due to higher performance and if I recall correctly we didn't have any problem but the fear of failure led us to rabbit with ha queues16:08
noonedeadpunkso, the problem was at time, when "faulty" node was re-joining cluster16:09
noonedeadpunkbut it might be somehow fixed in oslo or actually with rabbit version bumps16:09
noonedeadpunkI haven't really tested anywhere since then16:10
spatelproblem is in lab you won't see this kind of issue until you deploy in production with real-workload 16:10
SiavashSardariinteresting...16:10
noonedeadpunkalso solution to that (except ha queues) was jsut dropping all queues in cluster, so that services jsut re-created them from scratch16:10
noonedeadpunk(which is actually what rabbitmq-install.yml -e rabbitmq_upgrade` also does...)16:11
jamesdentonQQ re: octavia and trove roles. Are we hardset on the use of a second bridge and related wiring to provide access from container->amphora and db VMs, or can we phase that out in favor of L3 connectivity? Or at least maybe provide a way to choose?16:11
noonedeadpunkI'd vote on simplification of networking about octavia/trove, but I'm not sure I understand the way how l3 networking could be done there in other way?16:14
noonedeadpunklike just routing?16:14
jamesdentonyeah, just routing16:15
jamesdentonright now, the lxc container is wired up to second bridge and some funky stuff is used to connect16:15
jamesdentoni need to spend a little time on it16:16
johnsomYeah, I never understood why so many bridges were needed for the Octavia lb-mgmt-net in OSA.16:16
noonedeadpunkyeah. but I guess you would need to have vlan network to route that?16:16
jamesdentonIIRC it was meant to be 'temporary' :D16:17
noonedeadpunkand vlan should be managed not by l3 router but by upstream router?16:17
jamesdentonnoonedeadpunk yes, it would need to be a vlan. lbaas-mgmt would need to be a provider vlan, essentially16:17
SiavashSardariwhile we're on the networking part of octavia and trove. I had an issue regarding the connectivity of containers to amphora. the root cause was the use of http proxy on containers, I override 'global_environment_variables' in group vars and my problem was kinda solved. but I think there may be a better solution here16:17
noonedeadpunkI mean - there should be a point which would have access to both - some container net and octavia net16:18
noonedeadpunkand I guess just l3 connectivity is just matter of documentation?16:19
jamesdentondocs + diagram16:19
noonedeadpunkwell, yes16:19
jamesdentoni'm doing it now w/ octavia, but need to look at the overrides i have in place to make that go. Trove is less forgiving. 16:19
johnsomOctavia fully supports a routed solution. There is nothing special about that network, it's just a neutron network the amps sit on for command/control. 16:19
jamesdentonexactly16:20
noonedeadpunkwith trove it's a bit harder, because dbaas net should be not on trove_api but on rabbitmq container16:20
jamesdentonrabbit? really?16:20
noonedeadpunkyeah16:20
noonedeadpunktrove communicates with agents through rabbit16:20
noonedeadpunkso like rabbit exposed to VMs16:21
jamesdentonwell, that's no different that lxb or ovs agent, right?16:21
noonedeadpunk(and that is why it's kind of better to have independent rabbit cluster for it as well)16:21
noonedeadpunkyeah, I guess so)16:21
noonedeadpunkbut to sum up - I'm all for to document the way for just l3 connectivity16:25
jamesdentoncool16:25
noonedeadpunkif somebody have interest or time for that:)16:25
jamesdentoni will work on that16:25
noonedeadpunkawesome!16:25
johnsomjamesdenton Add me as a reviewer and I will also give it a look over16:25
noonedeadpunkbecause it will really simplify lives for many16:25
jamesdentonthanks johnsom 16:26
*** wt is now known as _wt_23:25
« Monday, 2021-10-11 Index Wednesday, 2021-10-13 »

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!